
CVE-2025-15115: Missing Authorization in Petlibrio Smart Pet Feeder Platform

Severity: Medium
Published: Sat Jan 03 2026 (01/03/2026, 23:33:02 UTC)
Source: CVE Database V5
Vendor/Project: Petlibrio
Product: Smart Pet Feeder Platform

Description

CVE-2025-15115 is an authentication bypass vulnerability in the Petlibro Smart Pet Feeder Platform affecting versions up to 1.7.31. The flaw arises from improper OAuth token validation in the social login system, allowing unauthenticated attackers to impersonate any user by sending crafted requests to the /member/auth/thirdLogin endpoint with arbitrary Google IDs and phoneBrand parameters. This enables attackers to obtain full session tokens and gain unauthorized account access without valid OAuth verification. The vulnerability has a CVSS 4.0 score of 6.9, indicating medium severity, with a network attack vector, no required privileges, and no user interaction needed. Although no known exploits are currently reported in the wild, the potential for unauthorized control over user accounts poses risks to the confidentiality and integrity of user data and device control. European organizations using Petlibro smart pet feeders could face privacy breaches and unauthorized device manipulation.

AI-Powered Analysis

Last updated: 01/11/2026, 21:26:40 UTC

Technical Analysis

CVE-2025-15115 is a medium-severity authentication bypass vulnerability identified in the Petlibro Smart Pet Feeder Platform, specifically affecting versions up to 1.7.31. The root cause is a flaw in the OAuth token validation process within the platform's social login system. Attackers can exploit this by sending crafted HTTP requests to the /member/auth/thirdLogin endpoint, supplying arbitrary Google IDs and phoneBrand parameters. Due to insufficient verification of OAuth tokens, the platform erroneously grants full session tokens to unauthenticated users, effectively bypassing authentication controls. This allows attackers to impersonate any user, gaining unauthorized access to their accounts and potentially controlling their smart pet feeders. The vulnerability is exploitable remotely over the network without requiring any privileges or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) reflects that the attack is network-based, easy to exploit, and does not require authentication or user interaction, but the impact on confidentiality and integrity is limited to the compromised accounts and devices. No patches or known exploits are currently reported, but the flaw represents a significant risk to user privacy and device security. The vulnerability highlights the importance of robust OAuth token validation and secure implementation of third-party authentication mechanisms in IoT platforms.

Potential Impact

For European organizations and consumers using the Petlibro Smart Pet Feeder Platform, this vulnerability could lead to unauthorized access to user accounts, resulting in privacy breaches and potential manipulation of smart pet feeders. Attackers gaining control over these devices could disrupt pet feeding schedules, cause distress to pet owners, or use the compromised accounts as pivot points for further attacks within home or organizational networks. While the direct impact on critical infrastructure is low, the breach of personal data and device control undermines user trust and may lead to reputational damage for vendors and service providers. Additionally, compromised devices could be leveraged as part of larger botnets or for lateral movement in connected home environments. The medium severity score reflects that while the vulnerability does not directly impact system availability or critical infrastructure, the ease of exploitation and lack of authentication requirements make it a notable risk for privacy and device integrity in European markets where smart pet feeders are adopted.

Mitigation Recommendations

Immediate mitigation should focus on monitoring and restricting access to the /member/auth/thirdLogin endpoint, including implementing rate limiting and anomaly detection to identify suspicious authentication attempts. Organizations and users should apply vendor-provided patches as soon as they become available to address the OAuth token validation flaw. In the interim, disabling social login features or restricting them to verified OAuth tokens can reduce exposure. Vendors should enhance OAuth token validation by verifying token signatures, issuer claims, and expiration times rigorously before granting session tokens. Implementing multi-factor authentication (MFA) for account access can further mitigate unauthorized access risks. Security teams should audit logs for unusual login patterns and educate users about potential phishing attempts exploiting this vulnerability. Network segmentation of IoT devices and limiting their access to critical networks can reduce the impact of compromised devices. Finally, vendors should conduct comprehensive security reviews of third-party authentication integrations to prevent similar issues.
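As an added, runnable illustration (not code from Petlibro or from this advisory), the trust-the-client pattern the advisory describes is shown beside a hardened thirdLogin handler that derives the account from a verified ID token rather than from any request parameter. It uses a constructed HS256 demo token and a shared secret so it runs offline; real Google ID tokens are RS256 and are verified against Google's published keys, but the issuer, audience, expiry and subject checks are the same. The function names, demo key, issuer and audience values are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values (assumptions for the example, not Petlibro's real configuration)
DEMO_KEY = b"demo-shared-secret"          # stand-in for the identity provider's signing key
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_AUDIENCE = "example-client-id"   # the app's own OAuth client id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 token so the example runs offline (real Google ID tokens are RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def vulnerable_third_login(params: dict) -> dict:
    # The flawed pattern the advisory describes: identity is taken from a client-supplied id, never verified.
    return {"session_for": params["googleId"]}

def verify_id_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if algorithm, signature, issuer, audience, expiry and subject all check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # reject algorithm substitution, including "none"
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64/JSON, or wrong segment count
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims if isinstance(claims.get("sub"), str) else None

def hardened_third_login(params: dict, now: Optional[float] = None) -> Optional[dict]:
    """Hardened handler: the account is selected by the verified 'sub' claim, not by any request parameter."""
    claims = verify_id_token(params.get("idToken", ""), now=now)
    return None if claims is None else {"session_for": claims["sub"]}
```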


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-12-27T01:46:47.690Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6959a9dfdb813ff03e731c97

Added to database: 1/3/2026, 11:44:31 PM

Last enriched: 1/11/2026, 9:26:40 PM

Last updated: 2/3/2026, 2:25:26 PM
